Authentication
All API and MCP requests require authentication via a Bearer token in the Authorization header.
API tokens
Section titled “API tokens”Generate tokens in Settings → API Tokens at app.myhypedoc.com/settings.
Authorization: Bearer hdoc_xxxxxxxxxxxxxxxxxxxxTokens are hashed at rest — you can only see the full token once at creation time. If you lose a token, revoke it and create a new one.
Using tokens
Section titled “Using tokens”curl https://app.myhypedoc.com/api/v1/wins \ -H "Authorization: Bearer hdoc_xxxxxxxxxxxxxxxxxxxx"# Interactive browser loginhype auth login
# Or set a token directly (CI/scripts)hype auth token hdoc_xxxxxxxxxxxxxxxxxxxxexport HYPEDOC_TOKEN=hdoc_xxxxxxxxxxxxxxxxxxxxhype listOAuth 2.1 (MCP)
Section titled “OAuth 2.1 (MCP)”The MCP server uses OAuth 2.1 with PKCE for authentication. MCP clients like Claude Desktop and Cursor handle the OAuth flow automatically using the well-known discovery endpoints:
| Endpoint | URL |
|---|---|
| Protected Resource Metadata | https://app.myhypedoc.com/.well-known/oauth-protected-resource |
| Authorization Server Metadata | https://app.myhypedoc.com/.well-known/oauth-authorization-server |
See MCP OAuth 2.1 Flow for the full specification.
Unauthenticated requests
Section titled “Unauthenticated requests”Requests without a valid token receive a 401 Unauthorized response:
{ "error": "Authentication required"}Unauthenticated API requests are rate-limited to 10 requests per minute per IP. See Rate Limits.